The US Securities and Exchange Commission (SEC or Commission) has announced its first enforcement action against a company for using restrictive language in confidentiality agreements, resulting in a Cease and Desist Order by consent that removed language that the SEC asserted could stifle the whistleblowing process.

The SEC charged Houston-based KBR Inc. with violating whistleblower protection Rule 21F-17 under the Dodd-Frank Act by using language in confidentiality agreements in internal investigations that employees could interpret as prohibiting them from disclosing information to the SEC or other government agencies. KBR, a global technology and engineering firm, agreed to pay a $130,000 penalty to settle the charges. KBR also agreed to amend its confidentiality agreements to state explicitly that employees are free to report potential violations to the SEC or other federal agencies without notice to KBR and without KBR approval.

Rule 21F-17 prohibits companies from taking any action to deter whistleblowers from reporting possible securities violations to the SEC. Specifically, Rule 21F-17 states that “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement … with respect to such communications.”

KBR required witnesses in certain internal investigations to sign confidentiality agreements that contained the following provision: “I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department. I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination.”

According to KBR, these confidentiality agreements were used in connection with internal investigations conducted in Iraq and, to some extent, in the United States. Since KBR did not have lawyers on site at every location, the company hired investigators to interview witnesses. To preserve the attorney-client privilege the witnesses were required to sign the confidentiality agreements.

Many companies provide direction in internal investigations not to share information for the additional purpose of preserving the integrity of the investigation. The US National Labor Relations Board has also expressed concern about such provisions violating Section 7 of the National Labor Relations Act. Similarly, in October 2014, the Financial Institution Regulatory Authority (FINRA) issued guidance warning firms that it was a violation of its own rules to include confidentiality provisions in settlement agreements or other documents that would restrict any person from communicating with the SEC, FINRA, or any other regulatory agency regarding a possible violation of the securities laws.

KBR agreed to remove the offending language and substitute the following in its form confidentiality agreement:

Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.

The SEC’s Order acknowledges that the Commission is not aware of any instance in which any KBR employee was actually prevented from communicating directly with the SEC about potential securities law violations, or in which KBR enforced the confidentiality agreement, or otherwise prevented an employee from communicating with the SEC. Nonetheless, the need for pre-clearance of all communication with third parties was viewed as having a potential chilling effect on a whistleblower’s willingness to report illegal conduct to the SEC.

The SEC will likely continue to be on the look-out for companies using confidentiality provisions that could inhibit potential whistleblowers. This past fall, Sean McKessy, chief of the SEC’s office of the whistleblower, warned that the SEC’s Division of Enforcement staff was searching for cases in which companies used confidentiality provisions that might prohibit employees from reporting violations to the SEC. More recently, Mr. McKessy advised companies “to review and amend existing and historical agreements that in word or effect stop their employees from reporting potential violations to the SEC.”

The explicit language that KBR added to its agreement is likely to be viewed as a safe harbor provision by the SEC in the near term. It is possible that alternative language would be found non-objectionable by the SEC as well. Companies should heed this example and review Codes of Ethics, and all existing employment, confidentiality and severance agreements to determine if they contain any provision that could be considered similarly restrictive and then determine what, if any, amendments are necessary.